Monday 28 October 2013

CCNA Security Practice Exam

Earning your Cisco CCNA Security certification can be a great boost for your career and your career prospects! To help you prepare for total success on Cisco CCNA Voice exam day, here are ten complimentary questions on the IOS Firewall set. Answers are at the end of the article. Enjoy!
1. Define the term "DMZ" as it pertains to network security, and name a few different common network devices that are typically found there.
2. Identify the true statements.
A. Stateless packet filtering considers the TCP connection state.
B. Stateful packet filtering considers the TCP connection state.
C. Neither stateless nor stateful packet filtering monitor the TCP connection state.
D. Both stateless and stateful packet filtering monitor the TCP connection state, and keep a state table containing that information.
3. Does the Cisco IOS Firewall feature set act as a stateful or stateless packet filter?
4. Which of the following are considered parts of the IOS Firewall feature set?
A. IOS Firewall
B. Intrusion Prevention System
C. RADIUS
D. Authentication Proxy
E. Password Encryption
5. Identify the true statements regarding the Authentication Proxy.
A. It's part of the IOS Firewall Feature Set.
B. It allows creation of per-user security profiles, rather than more general profiles.
C. It allows creation of general security profiles, but not per-user profiles.
D. Profiles can be stored locally, but not remotely.
E. Profiles can be stored on a RADIUS server.
F. Profiles can be stored on a TACACS+ server.
6. Configuring ACLs is an important part of working with the IOS Firewall. What wildcard masks are replaced in ACLs by the words host and any?
7. What does the dollar sign in the following ACL line indicate?
R1(config)#$ 150 deny ip 172.50.50.0 0.0.0.255 172.50.100.0 0.0.0.255
8. Basically, how does an IOS Firewall prevent a TCP SYN attack?
9. What does the term "punch a hole in the firewall" refer to? (Logically, that is, not physically.)
10. What does the router-traffic option in the following configuration do?
R4(config)#ip inspect name PASSCCNASECURITY tcp router-traffic
R4(config)#ip inspect name PASSCCNASECURITY udp router-traffic
R4(config)#ip inspect name PASSCCNASECURITY icmp router-traffic
Here are the answers!
1. It's easy to think of your network as the "inside", and everything else as "outside". However, we've got a third area when it comes to firewalls - the DMZ.
From an IT standpoint, the DMZ is the part of our network that is exposed to outside networks. It's common to find the following devices in a DMZ:
FTP server
Email server
E-commerce server
DNS servers
Web servers
2. (B.) Stateful packet filtering does monitor the connection state, and that's particularly important when it comes to preventing TCP attacks. A stateful firewall will not only monitor the state of the TCP connection, but also the sequence numbers. Stateful firewalls accomplish this by keeping a session table, or state table.
3. The Cisco IOS Firewall is a stateful filter.
4. (A, B, D.) There are three major components to the IOS Firewall feature set - the IOS Firewall, the Intrusion Prevention System (IPS), and the Authentication Proxy.
5. (A, B, E, F.) The Authentication Proxy allows us to create security profiles that will be applied on a per-user basis, rather than a per-subnet or per-address basis. These profiles can be kept on either of the following:
RADIUS server
TACACS+ server
Upon successful authentication, that particular user's security policy is downloaded from the RADIUS or TACACS+ server and applied by the IOS Firewall router.
6. We have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.
R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0
R3(config)#conf t
R3(config)#access-list 7 permit host 10.1.1.1
The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.
R3(config)#access-list 15 permit any
R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255
There's no "right" or "wrong" decision to make when you're configuring ACLs in the real world. For your exam, though, I'd be very familiar with the proper usage of host and any.
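To see why the host and any forms are interchangeable with their wildcard masks, here is an added Python example (not part of the original article, and not Cisco code) that parses the standard ACL lines above and evaluates them the way a wildcard mask works: 0 bits must match, 1 bits are ignored. The function names are my own, and the router prompts are stripped from the sample lines.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(line):
    """Parse a standard ACL line into (number, action, address, wildcard)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    number, action, spec = int(parts[1]), parts[2], parts[3:]
    if spec == ["any"]:                          # any    == 0.0.0.0 255.255.255.255
        addr, wild = 0, 0xFFFFFFFF
    elif len(spec) == 2 and spec[0] == "host":   # host X == X 0.0.0.0
        addr, wild = to_int(spec[1]), 0
    elif len(spec) == 2:                         # explicit address + wildcard mask
        addr, wild = to_int(spec[0]), to_int(spec[1])
    else:
        raise ValueError(f"unsupported source spec: {spec!r}")
    return number, action, addr, wild

def evaluate(lines, acl_number, source_ip):
    """Return the action of the first matching entry, top-down."""
    src = to_int(source_ip)
    for line in lines:
        number, action, addr, wild = parse_entry(line)
        care = ~wild & 0xFFFFFFFF    # bits the wildcard mask says must match
        if number == acl_number and (src & care) == (addr & care):
            return action
    return "deny"                    # implicit deny at the end of every ACL

# The ACL lines from the answer above, without the router prompts.
ACL_LINES = [
    "access-list 6 permit 10.1.1.1 0.0.0.0",
    "access-list 7 permit host 10.1.1.1",
    "access-list 15 permit any",
    "access-list 15 permit 0.0.0.0 255.255.255.255",
]
```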
7. The dollar sign simply indicates that part of the command you're entering or viewing can't be shown because the entry is so long. It does not mean the command is illegal.
8. The IOS Firewall can use any or all of the following values to detect when a TCP SYN attack is underway:
Overall total of incomplete TCP sessions
Number of incomplete TCP sessions in a certain amount of time
Number of incomplete TCP sessions on a per-host basis
When any of these thresholds are reached, either of the following actions can be taken:
Block all incoming SYN packets for a certain period of time
Send a RST to both parties in the oldest incomplete session
We'll look at specific scenarios in future tutorials.
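The three thresholds in answer 8 can be modeled in a few lines. This is an added Python example, not part of the original article and not how IOS implements it: the class, method and threshold names are hypothetical, "per-host" is counted per destination, and only the "reset the oldest incomplete session" action is modeled.

```python
class HalfOpenMonitor:
    """Simplified model: sessions that sent a SYN but never finished the handshake."""

    def __init__(self, max_total, max_recent, window, max_per_host):
        self.max_total, self.max_recent = max_total, max_recent
        self.window, self.max_per_host = window, max_per_host
        self.pending = {}  # (src, dst) -> time SYN was seen; dict keeps oldest first

    def syn(self, now, src, dst):
        """Record a half-open session and return the thresholds it exceeded."""
        self.pending[(src, dst)] = now
        recent = sum(1 for t in self.pending.values() if t > now - self.window)
        per_host = sum(1 for (_, d) in self.pending if d == dst)
        tripped = []
        if len(self.pending) > self.max_total:
            tripped.append("total")
        if recent > self.max_recent:
            tripped.append("rate")
        if per_host > self.max_per_host:
            tripped.append("per-host")
        return tripped

    def established(self, src, dst):
        self.pending.pop((src, dst), None)  # handshake completed

    def reset_oldest(self):
        """Model of 'send a RST to both parties in the oldest incomplete session'."""
        oldest = next(iter(self.pending))
        del self.pending[oldest]
        return oldest

def replay(events, monitor):
    """Feed (time, kind, src, dst) events in; return the actions taken."""
    actions = []
    for now, kind, src, dst in events:
        if kind == "ack":
            monitor.established(src, dst)
            continue
        tripped = monitor.syn(now, src, dst)
        if tripped:
            actions.append((now, tripped, monitor.reset_oldest()))
    return actions

# Constructed sample traffic (documentation addresses), not a real capture.
WEB = "192.0.2.10:80"
EVENTS = [(0, "syn", "198.51.100.1:40001", WEB), (1, "syn", "198.51.100.2:40002", WEB),
          (2, "ack", "198.51.100.1:40001", WEB), (3, "syn", "198.51.100.3:40003", WEB),
          (4, "syn", "198.51.100.4:40004", WEB)]
```

With limits of 5 total, 3 recent in a 10-second window and 2 per host, replaying EVENTS trips only the per-host threshold at time 4, and the oldest incomplete session (the one from 198.51.100.2) is the one reset.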
9. That term simply refers to configuring the firewall to open a port that was previously closed. Don't forget to close it when you no longer need it to be open!
10. When you want to inspect traffic that is actually generated on the router, you need to include the router-traffic option at the end of that particular ip inspect statement.
